The Colonial Pipeline ransomware attack: views from various cyber security experts
- Published: Wednesday, 12 May 2021 13:55
On Friday 7 May 2021 Colonial Pipeline, operator of the largest refined-fuel pipeline in the US, discovered DarkSide ransomware on its IT network and halted pipeline operations as a precaution; the pipeline stayed offline through the weekend of 8th-9th May. Cyber attacks on critical infrastructure have long sat on the risk registers of many nations and organizations, and this incident shows how damaging such an attack can be in practice. In this article various cyber security experts give their thoughts on the attack.
Christine Gadsby, VP of Product Security, BlackBerry
It doesn’t matter whether you’re securing a gas pipeline or life-saving medical devices, securing critical embedded systems presents unique and complex challenges. The reality is that utility companies are more often investing in IT to drive greater levels of convenience, which means that security is sometimes addressed in a siloed fashion and deprioritised during times where budgets are scarce.
On top of this, cyber security attacks have ramped up in volume and ferocity since the COVID-19 pandemic began a year ago. This recent attack should serve as an important wake-up call for all those who have a role to play in securing critical embedded systems that these days threat actors will stop at nothing to cause harm, sometimes regardless of whether there is a financial gain to be had. The only way to keep the enemy out is to ensure you have good cyber hygiene practices in place, as well as cutting edge cyber security solutions that can detect, protect and deter this sort of attack in the future.
Mike Campfield, VP and GM International and Global Security Programs, ExtraHop
For years we’ve been talking about potential cyber threats to critical infrastructure, mostly in the context of nation-state attacks. Russia has perpetrated a number of these attacks against Ukrainian infrastructure since at least 2014, using them to both bring Ukraine to heel as well as demonstrate to the rest of the world the types of attacks of which they are capable.
On the one hand, the fact that the attacks on major US pipelines were perpetrated by cyber criminals using ransomware seems like a stroke of luck. If it were a nation-state, the damage would likely have been much, much worse. On the other hand, this should serve as a terrifying warning: if cyber criminals with far less sophisticated cyber capabilities than nation-state adversaries can take out 45 percent of the US East Coast fuel supply, the time to act to protect these assets is now. The European Commission is already exploring ways to protect against threats to critical infrastructure and more harshly punish those who target infrastructure. In February it was reported that the European Council is considering treating cyber attacks as terrorist attacks.
It’s also worth noting that the encryption element of this attack is just the beginning. The ransomware variant involved, DarkSide, is known to go well beyond encryption, mapping the environment and exfiltrating data before locking down files and systems. We’ve seen this specific variant in customer environments over the past few months, and there’s almost certainly more to this story.
Kumar Mehta, Founder and CDO, Versa Networks
While it may be inevitable for an organization to control each and every aspect of the IT systems, a regular backup of all the important files would serve the purpose of not losing valuable data when mishaps happen. Note that DarkSide encrypts or deletes backed-up data as well, so companies might also need to consider improving on the security posture of the backup systems involved.
Email etiquette and essential security training for employees can help contain security incidents. Additionally, email screening can help identify threats before they reach employees.
Running endpoint detection and response (EDR) and deploying zero trust network access (ZTNA) on all endpoints and configuring the ZTNA policy to ensure that EDR is running with the latest updates is important, as well as:
Security-hardening of the domain controller
- Create replicas of domain controller, allow users to access replicas only
- Enforce firewall policies for domain controller
- Deploy EDR on domain controller
- Enforce lateral movement detection for traffic in/out of domain controller
Protection against command and control
- Block access to anonymizers, TOR proxies
- Enable IPS to detect/block other types of C&C
Security-hardening of file shares
- Enforce firewall policies for file shares
- Deploy EDR on file shares
- Enforce lateral movement detection for traffic in/out of file shares
- Protect access from file shares to backup servers
Using multilayer protection: a recent survey concluded that using multiple products facilitates organizational security better than relying on a single breed of product. Classifying network in layers can help organize security response as appropriate and reduce the attack surface.
Implement password policy and internal zoning of files to control access to files and folders. Employ lateral movement detection for East-West traffic.
Apply security patches: applications can introduce security loopholes and can be a problem for organizations. Always patch applications when security updates are made available.
Neil Stobart, Vice President, Global System Engineering, Cloudian
The recent cyber attack on the largest fuel pipeline in the US has shown that ransomware can pose a critical risk not only to businesses but also to national industrial infrastructure. In this case, the attack could affect the lives of millions of American citizens and businesses as the pipeline carries 45 percent of the East Coast's supply of diesel, gasoline and jet fuel.
Attacks such as this shouldn't come as a surprise, as ransomware has become the biggest cyber security threat over the past year. Cases like Colonial’s, where cyber criminals threaten to delete all the data taken hostage from the victim's network, demonstrate how important it is for organizations in all sectors to focus on not only preventing attacks but also ensuring they are able to recover should their defences fail.
One of the best ways to protect data from ransomware attacks is at the storage level by creating an immutable backup copy. This prevents malware from encrypting the data. If your organization gets hit by ransomware, you can quickly and easily recover the unchanged backup copy without paying the ransom, thereby ensuring business continuity and, in this particular case, minimal impact to people’s lives.
Ran Pugach, Chief Product and Development Officer, Ava Security
The Colonial Pipeline incident highlights the increasing risk ransomware is posing to critical national industrial infrastructure, and the physical consequences that these attacks can have on society. Especially with more than 90 percent of attacks involving human error, according to the UK’s Information Commissioner’s Office, securing critical national infrastructure against social engineering attacks is essential. We’ve seen similar attacks like this, when the Florida water treatment facility was hacked through TeamViewer.
In order to prevent ransomware attacks like this, organizations need to embrace a new approach built around the user as the rise of remote working makes us more exposed than ever. Hackers are experts in social engineering and will use whatever information they can to leverage multiple entry points or avenues to achieve their goals. This can be through malicious emails or suspicious websites. A preventative approach to ransomware protection leverages user education and cyber awareness. Installing endpoint detection and response tools is a good first step. These solutions are essential in helping to not only salvage the situation but to be able to investigate and understand where the vulnerability was and how to prevent it in the future. Nevertheless, they have to be complemented with further safeguards that can capture anomalies, understand and correct user behaviour.
Ed Macnair, CEO, Censornet
The Biden administration has to be commended for quickly passing emergency legislation. However, this incident clearly points to the fact that cybercriminals are outpacing governments.
Defenders need to win this arms race, because the systems which power civilisation are genuinely in peril unless we manage to beat the cybercriminals. Unfortunately, the omens are not good. Ransomware is going to become a bigger problem in the future because it’s so lucrative for criminals.
Attacks like this remind us that the systems which enable modern living are extremely vulnerable to cyber attack - which means our entire society is at risk.
When critical infrastructure is targeted, it can cause problems that go way beyond the reputational damage businesses suffer during a data breach. Hackers could literally tear down the pillars of modern life with one targeted attack, so we need serious government action to protect critical systems.
Organizations that are concerned should start by installing tough email security to stop phishing emails getting through. Small businesses must also pay attention – because they are just as much of a target as large corporations.
Calvin Gan, Senior Manager, F-Secure Tactical Defense Unit
We used to separate cybercrime versus physical world crime and view the impact differently. Even legislation is more documented for physical crime, compared to cybercrime where we are now slowly maturing. However, if there’s one thing the pandemic has changed, it is the acceleration rate of cybercrime. With the convergence of technologies being connected through the Internet, we now have a concrete view of how cybercrime impact has spread not only across the Internet but also to the physical world.
Attacks such as ransomware on CNI are just one example of how cyber crime can affect people directly or indirectly. With emergency laws needing to be passed to respond to cyber attacks, this is a clear sign that there is now increased interest by attackers in targeting these industries. The larger the impact to people or nations, the more pressure there is on these organizations to pay up or act upon the breach. This serves as motivation for attackers to continuously target them because they know it has the ability to push them ‘into the corner’ of paying up.
While it’s easier said than done, reducing a successful attack is a role to be played by everyone and comes from all angles; from increased user general awareness to beefing up security measures in organizations, and having the right response plan in place, with law enforcement being better equipped to track cyber criminals and legislation being more robust in prosecuting cyber criminals. We should perceive cyber criminals similar to how we perceive a criminal in the physical world.
James Smith, Head of Penetration Testing, Bridewell Consulting
There’s debate over whether companies should pay ransoms - but the negatives always outweigh the positives. If you pay, in theory, you regain access to your data and systems and business can continue. However, there’s no guarantee you’ll actually get access restored.
With these types of attacks, the data has probably been stolen already, before it was encrypted and the likelihood that the data will be sold or stored by the hacker is great. Then of course there are wider ethical considerations about paying attackers who could use the money to fund other criminal enterprises.
If organizations have the right plans in place, such as replicating their data, having off-site backups and segregated networks, for example, the likelihood of having to answer the ‘pay or not pay’ question is greatly reduced.
John Vestberg, co-founder and CEO, Clavister
The DarkSide ransomware attack on the Colonial Pipeline highlights the increasing risk cyber criminals pose to critical national infrastructure (CNI). CNI, such as oil and gas, is a prime target for these ransomware gangs – systems are underpinned by a myriad of complex information and operational technology devices and so the consequences if these are infiltrated can be devastating. Attacks on CNI risk becoming the norm if action is not taken.
A proactive, rather than reactive, approach is needed. Using predictive analytics and tools like AI or ML, for example, we can see malware morphing and behaving in certain ways and catch it sooner. The DarkSide attack should serve as a warning; CNI systems are becoming more sophisticated and technical – especially as we enter the era of 5G which we will soon rely on. Going forward, countries cannot afford to have any weak spots and must step up their cyber security solutions to support the technology used.
Steve Forbes, Government Cyber Security Expert, Nominet
The declaration of a state of emergency due to cyber attack could become the new normal. With the largest fuel pipeline in the US grinding operations to a halt due to a ransomware attack, the attack on Colonial is likely to have a ripple effect across the globe.
The attack will be a stark reminder of how connected our world now is. While the demand for oil across the US East Coast is evident, the fact that this is already impacting the financial markets and traders, demonstrates that it really is the tip of the iceberg. That’s not to mention the fact that the severity of this breach will worsen if confidential information is leaked, as the group has threatened. Being able to take systems offline and begin a process of restoration is undeniably important, but there is an additional threat if this data is exposed. It underlines the importance of international collaboration to bring down these highly coordinated groups early in their development if we want to protect our critical services.
As we watch the domino effect of this cyber attack, it is very apparent that impact is not limited to systems and software - victims will come in all shapes and sizes, from industries to individuals.
Miles Tappin, VP of EMEA, ThreatConnect
The ransomware attack against the Colonial Pipeline company not only shut down operations across one of the US’s most crucial 5,500-mile energy infrastructures but it exposed a significant weakness in the national cyber security strategy that has been 20 years in the making.
This latest incident should be a red line for US critical infrastructure owners, operators, regulators, and the Department of Homeland Security. Although much work has gone into hardening industrial control systems during the last decade, they remain vulnerable to a wide variety of cyber threats because of connections between business and operational networks.
There are now malicious actors who are characterising themselves as bona fide businesses with their own set of ethics, but who are themselves not in control of their overall impact due to the interconnectedness of businesses and operational networks. These interconnections lay bare the networks that power the economy and way of life - networks that now face cyber attacks and adversaries increasing in sophistication.
The growing pace and sophistication of nation-state attacks, coupled with an ever-expanding attack surface, makes our ability to accurately quantify and prioritise cyber risks within the context of individual businesses an urgent priority. Critical infrastructure cyber security must adopt a risk-led security strategy backed by a real-time decision and operational support system to ensure it can mitigate future threats.
Vladimir Kuskov, Head of Threat Exploration, at Kaspersky
DarkSide is a typical case of cybercriminal groups involved in ‘Big Game Hunting’. Their stated goal is to make money. They work in a manner similar to affiliate partner schemes – offering their ransomware ‘product’ to ‘partners’ which may, in turn, buy access to organizations from other hackers and then use it to deploy ransomware. Unlike some other groups, DarkSide claims to have a code of conduct: they do not attack hospitals, schools, government institutions and non-commercial organizations. Interestingly, DarkSide published a statement on their leak site. Judging by their statement, it appears that they did not expect such consequences and attention after the latest attack on the Colonial Pipeline.
There are versions of DarkSide ransomware for Windows and Linux. Both versions have a cryptographically secure scheme, so decryption is not possible without the criminals’ key.
Previously they had used the same decryption keys for multiple victims, which allowed security companies to make a decryption tool that helped victims to recover their files without paying the ransom. DarkSide responded to that situation and ‘fixed’ this problem so new victims do not have the option anymore.
Targeted ransomware attacks have become more common in the past couple of years and organizations need to focus on protecting themselves and their networks to avoid falling victim to such attacks. We advise not exposing remote desktop services to public networks unless absolutely necessary and always using strong passwords. Promptly install available patches for commercial VPN solutions providing access for remote employees and acting as gateways in your network, and always keep software updated on all the devices you use to prevent ransomware from exploiting vulnerabilities. On top of that, focus your defence strategy on detecting lateral movement and data exfiltration to the Internet, paying special attention to outgoing traffic to detect cybercriminals’ connections. Having regular, up-to-date backups of systems is key to a speedy recovery from a ransomware attack.
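Two of the experts above describe the same set of network-side controls in different words: Kumar Mehta's hardening list (lateral movement detection for traffic in and out of domain controllers and file shares, blocking Tor proxies and anonymizers as command and control, protecting the path from file shares to backup servers) and Kaspersky's advice to watch outgoing traffic for lateral movement, exfiltration and attacker connections. The script below is an added Python example showing how those rules look when run over flow records; it is not code from the article or from any of the vendors quoted. The asset addresses, the jump-host allowlist, the port lists, the 500 MiB exfiltration threshold and the comma-separated flow-record format are all assumptions made for the example, and the flow records are constructed, not real telemetry.

```python
"""Added example (not from the article): lateral-movement, Tor C2 and bulk
exfiltration detection over constructed flow records. Every asset address,
port list and threshold below is an assumption for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# --- assumed environment (illustrative, not Colonial's) -----------------------
DOMAIN_CONTROLLERS = {"10.0.1.10", "10.0.1.11"}
FILE_SHARES = {"10.0.2.20"}
BACKUP_SERVERS = {"10.0.3.30"}
ADMIN_JUMP_HOSTS = {"10.0.9.5"}   # the only hosts allowed to reach DCs/shares on admin ports
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
ADMIN_PORTS = {135, 139, 445, 3389, 5985, 5986}   # RPC, NetBIOS, SMB, RDP, WinRM
TOR_PORTS = {9001, 9030, 9050, 9051}              # default Tor OR / directory / SOCKS ports
EXFIL_THRESHOLD_BYTES = 500 * 1024 * 1024         # 500 MiB outbound per host per window


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    nbytes: int   # bytes sent from src to dst


def parse_flow(line: str) -> Flow:
    """Parse one 'ts,src,dst,dport,bytes' record (constructed format)."""
    ts, src, dst, dport, nbytes = line.strip().split(",")
    return Flow(ts, src, dst, int(dport), int(nbytes))


def is_internal(ip: str) -> bool:
    """Membership in our own RFC 1918 ranges; deliberately not ipaddress.is_private,
    which also treats the TEST-NET documentation ranges as private."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(flows):
    """Return (rule, src, dst, detail) tuples for the four rules, in detection order."""
    alerts = []
    outbound = defaultdict(int)
    crown_jewels = DOMAIN_CONTROLLERS | FILE_SHARES
    for f in flows:
        # Rule 1: admin-protocol traffic into a DC or file share from anything but a jump host.
        if f.dst in crown_jewels and f.dport in ADMIN_PORTS and f.src not in ADMIN_JUMP_HOSTS:
            alerts.append(("lateral_movement", f.src, f.dst, f.dport))
        # Rule 2: a file share initiating a session to a backup server. Assumes the backup
        # server pulls from the shares, so the reverse direction is never legitimate.
        if f.src in FILE_SHARES and f.dst in BACKUP_SERVERS:
            alerts.append(("share_to_backup", f.src, f.dst, f.dport))
        if not is_internal(f.dst):
            # Rule 3: outbound to default Tor ports, a crude anonymizer/C2 indicator.
            if f.dport in TOR_PORTS:
                alerts.append(("tor_c2", f.src, f.dst, f.dport))
            # Rule 4 accumulates per-host outbound volume to external addresses.
            outbound[f.src] += f.nbytes
    for host, total in sorted(outbound.items()):
        if total >= EXFIL_THRESHOLD_BYTES:
            alerts.append(("bulk_exfil", host, "external", total))
    return alerts


# Constructed flow records (ts,src,dst,dport,bytes); not real telemetry.
# 10.0.5.77 is a workstation that touches the DC and a share over SMB, reaches a
# Tor OR port, then pushes ~700 MB to an external host; the jump host's SMB
# session to the DC and 10.0.6.12's small HTTPS flow are benign.
SAMPLE_FLOWS = """\
2021-05-07T03:11:02Z,10.0.9.5,10.0.1.10,445,20480
2021-05-07T03:12:41Z,10.0.5.77,10.0.1.10,445,40960
2021-05-07T03:13:05Z,10.0.5.77,10.0.2.20,445,81920
2021-05-07T03:15:19Z,10.0.2.20,10.0.3.30,445,4096
2021-05-07T03:20:00Z,10.0.5.77,203.0.113.8,9001,1200
2021-05-07T03:25:00Z,10.0.5.77,198.51.100.21,443,400000000
2021-05-07T03:30:00Z,10.0.5.77,198.51.100.21,443,300000000
2021-05-07T03:31:00Z,10.0.6.12,198.51.100.44,443,2048
"""


def run_sample():
    """Apply the rules to the constructed records."""
    return detect(parse_flow(line) for line in SAMPLE_FLOWS.splitlines() if line)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample the workstation 10.0.5.77 trips every rule in sequence, which is the pattern the experts describe: reconnaissance against the directory and file servers, a command-and-control channel, then data leaving the network before anything is encrypted. In production the jump-host allowlist and the volume threshold come from your own baseline rather than the constants above, and the Tor-port check would be backed by an exit-node and proxy feed rather than four port numbers.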